Description of problem:
If a user manually edits the URL line for /rhn/systems/details/Overview.do to look at a system that they are not entitled to view (for example, an Activation Key Administrator manually changes the URL to look at the SID of a system), this results in an on-screen error and a traceback email. Satellite should handle this more gracefully: handle the error, then display a clearer and informative permission error on screen, as well as not generating a traceback.

Version-Release number of selected component (if applicable):
Red Hat Network (RHN) Satellite 5.3.0

How reproducible:
Always.

Steps to Reproduce:
1. Log in as the Satellite admin, and assign a normal user system group privileges: Click on "Users" > (user name) > check "System Group Administrator" > click "Submit", then click on "System Groups" and make sure user has admin access to one of the system groups.
2. Log in as this System Group admin, click on "Systems" > "System Groups" > (system group name) > "Systems" tab of system group > check the checkbox for a system in the system group > click "Remove Systems". The user no longer sees the system.
3. Navigate to the following URL to try to view the removed system:
   https://<satellite-hostname>rhn/systems/details/Overview.do?sid=<systemid-of-client>

Actual results:
The user sees a message on web UI:

***
We're sorry, but the system could not be found.
This error may have occurred in one of three ways:
1. The system requested does not exist. This is most likely if you arrived at this page through bookmarks or some other non-hyperlink.
2. You do not have permission to view this system.
3. You've found an error in our site.
***

In addition, a web traceback email is sent by the Satellite, with a traceback such as:

The following exception occurred while executing this request:
GET /rhn/systems/details/Overview.do
...
Exception:
com.redhat.rhn.common.hibernate.LookupException: Could not find server 1000010229 for user 41
    at com.redhat.rhn.manager.system.SystemManager.lookupByIdAndUser(SystemManager.java:876)
    at com.redhat.rhn.frontend.action.systems.sdc.SystemOverviewAction.execute(SystemOverviewAction.java:68)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:237)
    at com.redhat.rhn.frontend.struts.RhnRequestProcessor.process(RhnRequestProcessor.java:82)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    ...

Expected results:
UI error stating user does not have access/permissions to view the system instead of saying system not found. Also, no traceback should be generated.

Additional info:
Proposed fix: add system access check for user in com.redhat.rhn.manager.system.SystemManager.lookupByIdAndUser or com.redhat.rhn.frontend.action.systems.sdc.SystemOverviewAction.execute

Changed it to print a smaller message such as:

2010-07-28 17:11:57,924 [TP-Processor3] WARN com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000011505 for user 421

and to not send an email by default. If a customer still wants to send email (with the full traceback), they can set:

lookup_exception_email = 1

in /etc/rhn/rhn.conf

fixed in spacewalk master: 3e6c2a40cb9f99743c733ffab1e943c9bd3fda26

# VERIFIED against errata.stage (signed packages - Satellite-5.4.0-RHEL5-re20101025.0)

Following is the error on catalina.out:
---
2010-10-25 15:45:08,688 [TP-Processor7] WARN com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000010104 for user 141

Here is the message on UI:
---
We're sorry, but the system could not be found.
This error may have occurred in one of three ways:
The system requested does not exist. This is most likely if you arrived at this page through bookmarks or some other non-hyperlink.
You do not have permission to view this system.
You've found an error in our site.
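
Added example, not part of the original report or of Satellite's own code: with traceback emails off by default, the WARN line quoted above is the remaining record of a user requesting a sid they cannot access. This script counts distinct failed lookups per user in catalina.out-style lines; the threshold and every sample line other than the two quoted in this report are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# WARN line format as quoted in this report (catalina.out).
LOOKUP_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+ \[[^\]]+\]\s+WARN\s+"
    r"com\.redhat\.rhn\.common\.errors\.LookupExceptionHandler\s+-\s+"
    r"Could not find server (?P<sid>\d+) for user (?P<uid>\d+)\s*$"
)


def failed_lookups(lines):
    """Map each user id to the set of server ids it failed to look up."""
    by_user = defaultdict(set)
    for line in lines:
        m = LOOKUP_RE.match(line.strip())
        if m:
            by_user[int(m.group("uid"))].add(int(m.group("sid")))
    return dict(by_user)


def flag_users(lines, threshold=3):
    """Users with failed lookups for >= threshold distinct servers.

    threshold is an assumed tuning value, not a Satellite setting.
    """
    hits = failed_lookups(lines)
    return sorted(u for u, sids in hits.items() if len(sids) >= threshold)


# First two lines are the ones quoted in this report; the rest are constructed.
SAMPLE_LOG = """\
2010-07-28 17:11:57,924 [TP-Processor3] WARN com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000011505 for user 421
2010-10-25 15:45:08,688 [TP-Processor7] WARN com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000010104 for user 141
2010-10-25 15:45:11,102 [TP-Processor7] WARN com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000010105 for user 141
2010-10-25 15:45:13,540 [TP-Processor4] WARN com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000010106 for user 141
2010-10-25 15:45:14,000 [TP-Processor4] WARN com.redhat.rhn.common.errors.LookupExceptionHandler - Could not find server 1000011505 for user 421
2010-10-25 15:46:00,001 [TP-Processor2] INFO com.example.Other - request served
""".splitlines()

if __name__ == "__main__":
    for uid, sids in sorted(failed_lookups(SAMPLE_LOG).items()):
        print(f"user {uid}: {len(sids)} distinct server ids {sorted(sids)}")
    print("flagged:", flag_users(SAMPLE_LOG))
```

A single miss is usually a stale bookmark; many distinct server ids from one user in a short span is the pattern worth reviewing.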

The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release.

RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:
http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html

Regards,
Clifford